GHSA-rxhx-9fj6-6h2m – enum-map

Package

Manager: cargo
Name: enum-map
Vulnerable Version: >=2.0.0-2 <2.0.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

enum_map macro can cause UB when `Enum` trait is incorrectly implemented Affected versions of this crate did not properly check the length of an enum when using `enum_map!` macro, trusting user-provided length. When the `LENGTH` in the `Enum` trait does not match the array length in the `EnumArray` trait, this can result in the initialization of the enum map with uninitialized types, which in turn can allow an attacker to execute arbitrary code. This problem can only occur with a manual implementation of the Enum trait, it will never occur for enums that use `#[derive(Enum)]`. Example code that triggers this vulnerability looks like this: ```rust enum E { A, B, C, } impl Enum for E { const LENGTH: usize = 2; fn from_usize(value: usize) -> E { match value { 0 => E::A, 1 => E::B, 2 => E::C, _ => unimplemented!(), } } fn into_usize(self) -> usize { self as usize } } impl<V> EnumArray<V> for E { type Array = [V; 3]; } let _map: EnumMap<E, String> = enum_map! { _ => "Hello, world!".into() }; ``` The flaw was corrected in commit [b824e23](https://github.com/xfix/enum-map/commit/b824e232f2fb47837740070096ac253df8e80dfc) by putting `LENGTH` property on sealed trait for macro to read.

Metadata

Created: 2022-06-16T23:53:32Z
Modified: 2022-06-20T18:15:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rxhx-9fj6-6h2m/GHSA-rxhx-9fj6-6h2m.json
CWE IDs: []
Alternative ID: N/A
Finding: F113
Auto approve: 1